Farewell to Facebook

I no longer have a Facebook account. I started my account in 2008, and gathered friends both old and new, but I found myself slowly neglecting the account more and more as time moved on.

I decided to finally close my Facebook account so it doesn’t contribute to the database linkage accumulation slowdown “which is a major looming problem for web infrastructure and definitely not a thing I just made up”.


This work by Clinton Pavlovic is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Free Software and its Security Advantages

Everyone loves free software, but not all free software is Free. With software there is a substantial difference between “free”, “Free”, and “open source”.

For an end user, Free Software can in some cases offer advantages over closed and proprietary software, especially for software that is relied on for security.

The Definition of Free

The Free Software Foundation defines Free Software as “software that respects users’ freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them.”

Free Software is not about price, but about protecting users’ freedom to use, modify and distribute software. The four fundamental freedoms that are applicable to Free Software are:

  • The freedom to run the program, for any purpose (freedom 0). Does the software do what it purports to do? Does the software only do what it purports to do, free from any nefarious other uses or intentional back doors that are unknown to you? Is the software secure from attackers?
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1);
  • The freedom to redistribute copies so you can help your neighbour (freedom 2);
  • The freedom to distribute copies of your modified versions to others (freedom 3).

Access to the source code of the software is a precondition for the practical exercise of these freedoms. This access is the largest difference between proprietary software and Free Software.

Free Software, and its accompanying freedoms, should not be equated or confused with software that does not have a price; it is possible for a company to charge a price for Free Software, just as it is possible for a company to give away its own proprietary software at no cost. Also, just because software is Free, does not necessarily mean it is not subject to copyright; one method used to protect Free Software is to make it subject to a “copyleft” license, such as the GNU GPL License, which requires modifications to the software to be distributed under the same license, preventing persons from modifying Free Software and re-releasing it as proprietary code.

Free Software is about liberty, not price. As the FSF puts it, “[t]o understand the concept, you should think of ‘free’ as in ‘free speech,’ not as in ‘free beer’.”

The term “open source software” is often incorrectly used interchangeably with the term “Free Software”. With open source software you can usually view and modify source code, but open source software does not necessarily grant all the freedoms associated with Free Software.

Security Advantages Offered by Free Software

When selecting software to use there are often various programs available, some proprietary and others Free Software. When using any software it is essential to be able to ensure that:

  • the software indeed does what it says it does;
  • the software does not do anything malicious or contain “back doors”; and
  • the software does not contain any exploitable bugs or security flaws.

These concerns are amplified if the software is being used to perform a critical function, to protect systems or to store and safeguard confidential information.

Proprietary software is developed in a closed fashion by a limited development team. Nobody has the right or the ability to examine the source code. This means that you are putting your trust in the software’s development team. Unfortunately trust can be placed in the wrong people.

How certain can you be that your encryption software does indeed encrypt your data using the algorithm that it says it does? Does the encryption program implement the algorithm correctly? Does your software phone home or otherwise send requests or information to an unknown server? Does your software contain intentional back doors to allow third parties or law enforcement to circumvent security? Is your software free from security vulnerabilities that can be exploited?

These concerns are addressed by Free Software.

First, with Free Software you can be certain that the software does indeed do what it purports to do. The source code is available and users are able to examine exactly what the software does and how it aims to do it.

Secondly, because users are able to examine the source code, any intentional back doors built into the software can be more easily discerned and anything malicious in the software can be identified.

Thirdly, serious security flaws can be quickly identified and addressed. Linus’s Law, named in honour of Linus Torvalds, is “given enough eyeballs, all bugs are shallow”. Free Software is often developed by extremely large groups of people, for example the latest Linux report states that more than ten thousand people have contributed to the Free operating system. Arguably the large number of people actively combing through, improving and adding to the software source code weeds out many of the exploitable bugs and security flaws.

Some opponents of Free Software argue that having code open for inspection makes software less secure, because it allows people to look at the software code and find and exploit flaws. This is an argument in favour of “security through obscurity”, an argument that a security flaw in code is acceptable as long as it is hidden and nobody can easily see it. Security through obscurity is never a good idea as it works on the premise that would-be attackers are not looking for vulnerabilities that exist in the proprietary software.

Unfortunately no software can ever provide a guarantee that it is one hundred percent secure, but it should not be necessary to place your trust in a group of developers who may not have your best interests in mind. With Free Software you don’t have to trust so blindly.

Edit: A fascinating perspective on the topic of trusting code is given in this speech by Ken Thompson, published in Communications of the ACM, August 1984, Volume 27, Number 8, entitled “Reflections on Trusting Trust: To what extent should one trust a statement that a program is free from Trojan horses? Perhaps it is more important to trust the people who wrote the software”.

“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect …”



How Existing Human Rights Law Applies to Modern Digital Surveillance

A group of worldwide privacy organizations and advocates have adopted and released a document entitled “The International Principles on the Application of Human Rights to Communications Surveillance”.

The document sets out how existing international human rights law applies in the digital environment and details thirteen principles that must be adhered to by any government in order to comply with current international law.

Importantly, the document addresses the distinction between collection of the content of a communication and the collection of the “communications metadata”, and concludes that the distinction between the two is no longer appropriate; metadata and other non-content data deserve equal protection because they may reveal even more about an individual than the content of the communication itself.

The thirteen principles, based on current international law, outlined in the document are summarized below.

Legality

Any limitation to the right of privacy must be prescribed by a publicly available legislative act, and subject to periodic review.

Legitimate Aim

Laws should only permit surveillance by specified state authorities.

Any surveillance must be conducted to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.

Necessity

Surveillance should not be widespread, but must be restricted only to what is necessary to achieve the legitimate aim.

Surveillance should only be conducted when it is the only method to achieve the legitimate aim, or is the method that is least likely to infringe on the person’s human rights.

Adequacy

The surveillance must be able to fulfil the legitimate aim.

Proportionality

Before any state engages in surveillance for the purposes of a criminal investigation it must establish before an independent court that:

  • there is a high degree of probability that a serious crime has been or will be committed;
  • evidence of that crime will be obtained by the surveillance;
  • other less invasive techniques have been exhausted;
  • the information gathered will be limited to that which is relevant to the alleged crime; and
  • the information gathered will only be accessed by the specified authority and used only for the purposes for which permission was granted.

If the surveillance will not put the person at risk of criminal prosecution the state must establish before an independent court that:

  • less invasive investigative techniques have been considered;
  • the information accessed will be confined to what is reasonably relevant and any excess information will be destroyed or returned; and
  • the information gathered will only be accessed by the specified authority and used only for the purposes for which permission was granted.

Competent Judicial Authority

All determinations relating to surveillance should be made by a competent, impartial and independent court which is separate from the authority conducting the surveillance.

Due Process

In the determination of human rights everyone is entitled to a fair and public hearing. The mere risk of flight or destruction of evidence shall never be considered as sufficient to justify retroactive authorization.

User Notification

Users must be notified of a decision authorizing surveillance to enable them to appeal the decision. Delay in notification is justifiable if:

  • notification would seriously jeopardize the purpose of the surveillance; or
  • authorization to delay is granted by the judicial authority; and
  • the individual is notified within a reasonably practical time period.

Transparency

States must be transparent about the use and scope of surveillance techniques used. States should publish transparency reports detailing the type and nature of surveillance, including the number of surveillance requests approved or rejected, in order for individuals to fully comprehend the scope, nature and application of the laws permitting surveillance.

Public Oversight

Independent oversight mechanisms, which have access to all potentially relevant state information including secret and classified information, must be established. This is to ensure that the state is acting within its lawful authority.

Integrity of Communications and Systems

States should not compel service providers or hardware or software providers to build surveillance capabilities into their systems; compromising security for the state always compromises general security, which would make these systems more vulnerable to attack by unauthorized third parties.

Service providers should not be compelled to collect information purely for state surveillance purposes.

Individuals have the right to express themselves anonymously, and states should not require service providers to identify their users as a precondition for providing services.

Safeguards for International Cooperation

When concluding multinational mutual legal assistance treaties, states must ensure that when the laws of more than one state apply to the communication then the law which provides the greatest protection to the individual is applied. This prevents states from circumventing their own domestic legal restrictions.

Safeguards Against Illegitimate Access

Legislation criminalizing illegal surveillance by public and private persons, and providing for significant criminal and civil penalties if contravened, must be enacted.

Legal protection must be provided to whistleblowers.

Information obtained in contravention of the principles must be inadmissible as evidence in any proceedings.



Private Companies, Share Transactions and Regulated Affected Transactions

Are you unknowingly a director or shareholder of a regulated private company? If so, what effect does this have on transactions involving the company’s shares?

The Companies Act, No 71 of 2008 (the new Companies Act) expanded the circumstances in which a private company may be regarded as a regulated company, having the effect that certain provisions of the new Companies Act and the takeover regulations, which would otherwise not be applicable to a private company, are unknowingly applicable to numerous private companies in South Africa. The application of these provisions may have adverse and unforeseen consequences in transactions involving the company’s shares.

In short, a shareholder increasing their shareholding in a regulated company is required to notify the company with each multiple of five percent of the shareholding that it acquires, is required to make a mandatory offer to purchase all remaining shares once its shareholding crosses the prescribed threshold, and may acquire the right to force minorities to sell their shares.

Having a share transaction reversed because the regulatory procedure was not followed, being unknowingly obliged to make a mandatory offer to all shareholders to acquire their shares, or unknowingly becoming a minority shareholder who can be squeezed out of a company, are situations which shareholders may best be advised to avoid. These risks can be amplified in long term share acquisition transactions, such as joint ventures which make use of shareholder earn-in provisions.

Regulated Private Companies in terms of the Companies Act

A private company becomes a regulated company in terms of the new Companies Act if the company expressly elects to be regarded as a regulated company in the company’s memorandum of incorporation, alternatively, if more than ten percent of the company’s issued securities have been transferred within the previous twenty four months other than by transfer between related or inter-related persons.

Therefore, in the event that share transactions have taken place within the previous twenty four months a private company may potentially be classified as a regulated company. Once regarded as a regulated company the takeover regulations become applicable and the takeover regulation panel (TRP) becomes responsible for regulating all affected transactions, including any offer to enter into an affected transaction.

Share Transactions as Affected Transactions

The definition of affected transactions, insofar as it relates to share transactions, includes compulsory disclosures on the acquisition of shares amounting to five percent, ten percent, fifteen percent or any further multiple of five percent of the company’s issued shares, mandatory offers requiring any shareholder who acquires enough shares to take its shareholding above thirty five percent of the shares in the company to make an offer to the remaining shareholders to purchase their shares, and compulsory acquisition and squeeze out of minority shareholders.

Affected transactions are further governed by the takeover regulations and regulated by the TRP, meaning that the parties cannot give effect to the share transaction unless the procedures set out in the takeover regulations have been complied with and the TRP has either issued a compliance certificate or granted an exemption for the transaction.

The compulsory disclosure provisions apply to any person who sells or purchases shares in a regulated company and as a result of that acquisition the person holds a beneficial interest amounting to five percent, ten percent, fifteen percent or any further multiple of five percent. The seller or purchaser must notify the company within three business days after the disposal or acquisition of the shares. Once the company has received the disclosure notice the company must file the notice with the TRP.

In addition to the compulsory disclosures, a fundamental provision within the new Companies Act is the provision requiring a mandatory offer to all shareholders to acquire their shares in a company if a person acquires shares in a regulated company and as a result of that acquisition the person’s shareholding increases from an amount of less than thirty five percent to an amount of thirty five percent or more.

Once this threshold is reached the shareholder is required to give notice to the remaining shareholders offering to acquire any remaining shares and must comply with the takeover regulations.

The mandatory offer provisions are designed to protect minority shareholders, however, the squeeze out provisions may work to the detriment of minority shareholders.

In terms of the squeeze out provisions minorities holding less than ten percent of the issued share capital of a company may be forced to sell their shareholding, or be “squeezed out”, should an offer for the acquisition of the entire class of shares of a regulated company be made and that offer has been accepted by holders of at least ninety percent of that class of securities.

These provisions allow an offeror to acquire the shares of a minority holding less than ten percent of the issued share capital on the same terms and conditions as the shareholders who had accepted the original offer.

A Word of Caution in Share Transactions Involving Private Companies

It becomes imperative, before shares in a private company are sold or purchased, to determine that the private company has not elected to be a regulated company in its memorandum of incorporation and that no more than ten percent of the shares in the company have been transferred in the previous twenty four months. Otherwise the company may be classified as a regulated company, requiring compulsory disclosures to be made with each five percent of the shares acquired, and once the threshold of thirty five percent shareholding is reached requiring a mandatory offer to acquire the remaining shares.

Caution must be taken to ensure that share transactions are structured in such a way to account for the company being classified as a regulated company.

In long term share acquisition transactions, such as joint ventures which make use of shareholder earn-in provisions, care must be taken in the drafting of the applicable contracts. The transaction should be structured to ensure that the intentions of the parties are not eroded should the company become a regulated company after the conclusion of the contracts, and that both the rights of the acquiring shareholder are protected with each share tranche acquired, as well as the rights of minorities which may hold less than ten percent of the shares after the implementation of the transaction.



The Companies Act 2008 and Pre-Existing Shareholders Agreements

On 1 May 2013 will your company’s shareholders agreement be worth the paper that it is written on? After this date most of what is contained in current shareholders agreements could automatically be rendered void.

This is an important corporate law consideration which must be addressed by all South African companies and their shareholders which rely on shareholders agreements concluded prior to the commencement of the Companies Act, No 71 of 2008 (the new Companies Act).

Historical Use of Shareholders Agreements

In terms of the previous Companies Act, No 61 of 1973 (old Companies Act) a company’s constitutional documents consisted of its memorandum of association and articles of association. In addition to these statutory documents, shareholders often concluded an additional shareholders agreement to regulate the internal affairs of the company.

A shareholders agreement typically provided that in the event of any conflict between the company’s articles of association and the shareholders agreement, the shareholders agreement would be the document that takes precedence. Shareholders therefore regularly used shareholders agreements to regulate important aspects of the company without the need to amend its articles of association and, by doing so, make the provisions public.

Shareholders Agreements Under the New Companies Act

The new Companies Act has, however, dramatically changed the possible scope and effectiveness of not only the new shareholders agreements concluded in terms of the new Companies Act, but also shareholders agreements which were concluded prior to the new Companies Act’s commencement date on 1 May 2011.

In terms of the new Companies Act, all shareholders agreements must be consistent not only with the provisions of the act itself, but also with the company’s constitutional documents, namely the memorandum of incorporation. Should there be any inconsistency between the shareholders agreement and a provision of the new Companies Act or memorandum of incorporation, the provision contained within the shareholders agreement shall be void.

A provision in a shareholders agreement which provides that the shareholders agreement will take precedence over the act or memorandum of incorporation shall itself be void and shall not provide any assistance to the shareholders.

Transitional Period

Companies which were incorporated under the old Companies Act and which had pre-existing shareholders agreements are, however, provided with a two year transitional period which ends on 30 April 2013.

During the transitional period, pre-existing companies may update their constitutional documents to comply with the provisions of the new Companies Act, and during such time should a shareholders agreement conflict with the provisions of the new Companies Act, or the company’s articles of association, the provisions of the shareholders agreement shall take precedence.

On 1 May 2013, any provision in a pre-existing shareholders agreement which directly conflicts with the new Companies Act or the company’s memorandum of incorporation will be void.

A company which takes no steps to align its current articles of association and shareholders agreement with the provisions of the new Companies Act may find itself in a situation where most, if not all, provisions contained within the shareholders agreement are void as they conflict with the company’s articles of association, which are automatically deemed to be its new memorandum of incorporation for the purposes of the new Companies Act.

Important provisions which are ordinarily contained within the shareholders agreement which may be void include provisions restricting or allowing the alteration or conversion of share capital, provisions regulating company meetings, provisions granting minority shareholders or specified shareholders rights to appoint directors to the company’s board, minority protection provisions including provisions which limit the board of directors’ powers, and provisions regulating borrowing powers and the determination and payment of dividends to shareholders.

Where to from Here?

What can be done to ensure that essential provisions contained within a shareholders’ agreement are not rendered void?

It will be necessary to determine where conflicts currently exist between the new Companies Act, articles of association and shareholders agreement.

Once conflicts have been identified, it will be necessary to determine which matters are now classified as alterable or non-alterable provisions in terms of the Companies Act.

Should any of these matters be classified as alterable or non-alterable provisions within the new Companies Act, it will not be possible for the shareholders to regulate these matters in a shareholders agreement, as non-alterable provisions cannot be altered at all, and alterable provisions can only be altered in the company’s memorandum of incorporation and not in a shareholders agreement.

Once this analysis has been done it will then be necessary to update the company’s memorandum of incorporation to deal with all alterable provisions which can only be altered in the memorandum of incorporation, and then draft an amended shareholders agreement relating to the remaining company matters.

