Published by The Lawfare Institute
in Cooperation With
On March 14, Israeli Prime Minister Benjamin Netanyahu announced a plan to employ advanced digital monitoring tools, mainly used for counterterrorism purposes, to track carriers of the coronavirus and mitigate the spread of the disease it causes, COVID-19. The government moved quickly: 48 hours following Netanyahu’s statement, the government introduced the legal framework authorizing the Israel Security Agency (ISA, also known as “Shabak” or “Shin-Bet”) and the police to use metadata for these purposes.
Within this 48-hour period, the government received heavy criticism regarding its intention to deploy online surveillance measures to track down citizens in a manner previously reserved for counterterrorism measures, without proper safeguards and oversight mechanisms against excessive interference with the right to privacy. The government originally meant to introduce some of these measures by passing a resolution to harness the ISA’s location-tracking abilities. Under the 2002 ISA Law, which provides the legal basis for the operations of the ISA, such resolution is subject to parliamentary approval of the Knesset’s intelligence and secret services subcommittee.
However, the coronavirus crisis has found Israel in political disarray. The country has had three deadlocked elections within a year, the most recent of which was held in early March. The intelligence and secret services subcommittee was scheduled to discuss the proposed government resolution regarding location tracking just hours before the Knesset was dissolved and the newly elected parliament was to be sworn in. But due to the many comments made by the subcommittee’s legal advisers, this last-minute discussion of the draft resolution was not completed before the subcommittee was dissolved as the new Knesset was sworn in. As a result, the government’s resolution was not approved.
In lieu of parliamentary approval, the government enacted emergency regulations authorizing the ISA to use metadata and the police to use location data to handle the coronavirus outbreak. Several nongovernmental organizations challenged the constitutionality of the regulations in the Israeli High Court of Justice, which issued an interim order in Ben Meir v. Prime Minister limiting the use of the powers under the emergency coronavirus regulations by the ISA and forbidding their use by the police until further notice.
The ISA Program
The ISA Emergency Coronavirus Regulations (“Authorizing the Israel Security Agency to Assist in the National Efforts to Reduce the Spread of the Novel Coronavirus”) authorize the ISA to receive, collect and process “technological data” for the purpose of assisting the Ministry of Health in conducting epidemiological investigations to reduce and prevent the spread of the novel coronavirus. The data should be used to identify the location data and movement routes of coronavirus carriers in the 14 days preceding their diagnosis as carriers, along with the identity of individuals who came into close contact with them.
Originally, the regulations allowed data to be collected about confirmed carriers who tested positive for the virus, along with individuals determined by a doctor to be carriers under the Health Ministry’s guidelines even if positive lab results have yet to be received. The Ben Meir interim decision narrowed the definition of coronavirus carriers to confirmed carriers only. The Supreme Court also limited the ISA’s exercise of these powers to March 24—five days after the order was given. If, by March 24, the relevant parliamentary committees overseeing the implementation of the regulations are not formed, the ISA will no longer be able to use these authorities.
“Technological data” is a term of art shrouded with mystery. Defined in the regulations as “excluding the contents of a 'conversation' in its meaning under the Wiretap Law,” the term carries the widest understanding of metadata—anything that is not content. This definition can be traced to the 2002 ISA Law, which authorizes the ISA to use “[d]ata obtained from communication licensees.” Such data is defined as including communication data and excluding the contents of a “conversation” in its meaning under the Wiretap Law. For unclear reasons, the term “metadata” in the regulations was supplemented with the adjective “technological”—which may or may not signify that the techniques employed by the ISA are not confined to cellular location tracking, as was assumed earlier.
Adding to the obscurity of the term “technological data,” the regulations differentiate between such data and its “products.” The ISA is authorized to use the data and any further information derived from it only for the aforementioned purpose of assisting the Ministry of Health in conducting epidemiological investigations. A similar limitation applies to the use of the data by other government authorities—yet the wording of the regulation gives no instructions as to whether use of the data’s “products” is also limited.
The regulations establish a procedure under which the Ministry of Health may submit a query (an “assistance request”) for data to a senior ISA member. Once the Ministry of Health shares the infected individual’s name, ID number (provided by the government to all Israeli citizens) and phone number, the ISA will provide the representative of the Ministry of Health with “the data required to the Ministry of Health only”—which is based on the products of the ISA’s assistance activities—regarding the individuals who came into close contact with said carrier. It is unclear whether such data shall include the full route of such individuals since they made close contact with the carrier, or just their identifying data, in order to contact them and further instruct them on how to behave during their illness. The data required by the Ministry of Health is to be determined in specific internal procedures to be established under Section 3(a) of the ISA Emergency Coronavirus Regulations.
Under Section 6 of the ISA Emergency Coronavirus Regulations, the Ministry of Health shall establish specific rules, subject to the approval of the attorney general, in connection with the aforementioned assistance requests. It must also establish procedures for the handling, use and deletion of the data, including limiting the circle of personnel authorized to access it. Both the ISA and the Ministry of Health shall provide a report to the attorney general at a later date—still to be determined under the regulations—which will include, at a minimum, the number of coronavirus carriers whose technological data was collected, the number of individuals identified by the ISA as being in close contact with coronavirus carriers, and the “purging status” of data obtained under the regulations.
The regulations further state that although the Ministry of Health shall not transfer any data received from the ISA, the ministry can still use the data to warn the public or particular individuals regarding potential contraction of the coronavirus. The regulations do not prohibit the Ministry of Health from adding names of individuals to the government’s list of persons under quarantine, to which the police have access.
The ISA Emergency Coronavirus Regulations will be in force for a period of 14 days, following which any data received and retained by the Ministry of Health shall be purged—except data required by the ministry for internal inspection of its activities posthoc, which may be retained for an additional period of 60 days.
The ISA has stressed that it will not take part in any quarantine-enforcement-related monitoring. Accordingly, the regulations provide that the ISA shall not partake in the enforcement of any quarantine orders, nor may the ISA directly contact coronavirus carriers or individuals who were in close contact therewith.
The Police Program
The Police Coronavirus Location Data Regulations are an emergency amendment to the 2007 Israeli Communication Data Law, which governs law enforcement access to communication data. Under the Communication Data Law, the police and other law enforcement authorities may seek to obtain communication data from licensed providers of communication services (mainly cellular and telecommunication companies and internet service providers) pursuant to a court order. In urgent cases, a designated police officer may approve a direct, time-limited order to licensees to provide communication data to law enforcement authorities.
As amended by the regulations, the law now includes an additional procedure under which a designated senior officer may allow, pursuant to a police officer’s request, the obtaining of location data without any judicial review. This can be done for the purposes of either obtaining location data for a carrier of the coronavirus—in order to warn the public or particular individuals regarding potential contraction of the virus—or obtaining the location data of an individual subject to a quarantine order for monitoring purposes. The Supreme Court in Ben Meir ordered the police to refrain from exercising this power under the regulations until further notice.
Location data acquired for the first purpose—that is, location data for coronavirus carriers obtained to warn the public or individuals—will be purged upon the expiration of the regulations. (Unless extended, they are set to expire after a period of three months, on June 16.) However, the Ministry of Health may retain this data for purposes of internal inspection post hoc for an additional 60 days, similar to the provisions of the ISA regulations. Also, location data obtained for this purpose may be used only to exercise enforcement power under Part 4 of the 1940 Public Health Ordinance, which serves as the legal basis for government control of infectious diseases and as the authority for orders to quarantine individuals who may be infected with the coronavirus.
Location data of quarantined individuals obtained in order to monitor compliance with quarantine orders is limited to the last location datum of a subscriber intercepted by a communication license holder. Such monitoring shall be performed by “sampling” only—that is, randomized requests for the location of individuals under quarantine—and not in a continuous or ongoing manner. The police are allowed to transfer such data to the Ministry of Health for quarantine oversight purposes, and the use of this data is limited to these purposes only.
The division of labor under the scheme outlined by the emergency coronavirus regulations is clear. The ISA, whose technological abilities are superior to that of the police, is tasked with epidemiological investigations—which, reportedly, relied up until now on oral questioning of identified carriers and review of their recent credit card history and public transportation digital logs—and the tracking of all potential coronavirus carriers. The police, meanwhile, are given powers to enforce quarantine.
This delimitation may shed light on the signals intelligence capabilities of the ISA versus those held by the police. While police powers are limited, pursuant to a 2012 ruling of the Israeli High Court of Justice in Association for Civil Rights in Israel v. Israeli Police, to targeted acquisition of communication data under the Communication Data Law, ISA signals intelligence practices are governed by laxer constraints. The government’s insistence on using the ISA rather than the police for nontargeted surveillance—that is, the detection of the unknown individuals in close contact with coronavirus carriers—strongly suggests that the ISA already uses similar measures for counterterrorism purposes.
However, the ISA’s powers under the regulation will expire once it completes its assistance to the Ministry of Health’s epidemiological investigations. But the powers conferred to the police will remain in place for a much longer period—until June 2020, if not extended further. This may indicate that the government expects that containment of coronavirus carriers—under quarantine and through other restrictive measures outlined in the Public Health Ordinance—will need to carry on well into the summer.
The two emergency coronavirus regulations refrain from explicitly setting safeguards and controls against misuse of the personal data obtained under the regulations, deferring the design of such procedures to a later date. It may also be the case that such procedures shall remain confidential, even if they adequately balance protecting both privacy rights and public health.
Safeguards against misuse of personal data and interference with the right to privacy are lacking under the regulations. But Israel also has no external and independent intelligence oversight body that can oversee the implementation of the emergency coronavirus regulations: Both ISA and police acquisition and use of “technological” and location data are not subject to ex ante judicial or quasi-judicial review, and the ex post review made by the attorney general—who will receive a limited post hoc report under the ISA Coronavirus Technological Data Regulations—and the currently nonexistent Knesset intelligence and secret services subcommittee might be too little and too late.
The Supreme Court’s interim decision does not necessarily signify that cellular location tracking powers conferred under the emergency coronavirus regulations are off the table completely. If, by five days after the court’s decision, the applicable parliamentary oversight committees are formed, the ISA will be able to exercise its powers under the regulations for the full 14 day period set out in the regulations. While the court ordered the police to refrain from exercising its powers under the regulations, it did not declare these powers to be illegal and left open the possibility that they might be found to be proportional to the unusual circumstances if more nuanced restrictions on police authority are imposed.
The court did, however, stress the importance of parliamentary oversight of the intelligence community and of legislation regulating the use of powers interfering with human rights, as well as the importance of detailed rules constraining that authority. In ordering the police to refrain from exercising its powers under the regulations, the court noted that the drafting of the internal procedures regulating that exercise was not yet complete. But the court also left open the possibility that these internal safeguards may remain confidential, stating that the powers under the ISA Emergency Coronavirus Regulations shall be exercised pursuant to “the classified guidelines that were presented to us ex parte and were approved by the Attorney General.”
The discussion over the regulations represents a rare instance of debate over the ISA’s surveillance powers and oversight of the ISA in Israeli public discourse. It is unclear whether the Ben Mier interim and final decisions will be framed as relating narrowly to the coronavirus crisis or to internal political squabbles, or whether the final ruling of the Supreme Court in this case will make a more significant contribution to the thin body of law governing Israeli signals intelligence practices.