In 2013, Edward Snowden, an American citizen hired by a contractor to the National Security Agency (NSA), leaked thousands of classified NSA documents that exposed the global surveillance activities of the US, in cooperation with the UK, Canada and Australia.
Snowden fled to Russia and the public outcry triggered by his actions brought about statutory reforms in the US and widespread debate there and elsewhere about the way state intelligence agencies collect data online.
That debate, and the implications of surveillance for the rights to privacy of those being spied upon, needs to take place in Israel to ensure that human rights are not breached, says a report published Wednesday by the Israel Democracy Institute.
While there was lively public debate around the issue of biometric ID documents and passports in Israel and the creation of a national database containing the biometric data of all Israeli citizens, “there has been almost no discussion of the rules regulating online surveillance for security purposes; in particular, there has been little discussion of existing legislation and its compatibility with today’s social and technological realities and with human rights norms,” the report says.
Using modern technology to collect, store and analyze online communications data can yield richer and more detailed intelligence information on surveillance targets than ever before, say the researchers, Amir Cahane and Yuval Shany, the latter an expert in human rights and humanitarian law at Jerusalem’s Hebrew University who currently chairs the United Nations Human Rights Committee.
Risk of ‘significant violation of privacy’
But consideration also has to be given to the “significant violation of privacy” inflicted on the subjects of surveillance and those with whom they are in touch.
The circle of those affected grows dramatically when intelligence agencies employ “bulk collection methods,” which extract huge amounts of data about communications rather than targeting particular individuals.
Infringing the right to privacy is just one consequence of online surveillance, the report’s writers say, noting the “chilling effect” that an awareness one is being spied upon can have on people, their freedom of expression and their conduct.
Cahane and Shany discovered that Israeli law does not address the bulk collection of online communications, let alone feature provisions for exceptional circumstances in which such a mass fishing expedition might be allowed.
It does not set ground rules for how long the content and the details of those involved in the communication can be stored, in contrast with EU laws and with legislation in Germany and the UK.
Furthermore, unlike in other countries, Israeli law barely relates to online data mining — the statistical analysis of databases which may include cross-referencing with other data stores held by the government.
The two authors call on policy makers to weigh legislation for the use of open-source intelligence gathering that also uses social media.
Exceptional police powers
While private organizations use data-mining for commercial gain, the state’s “exceptional police powers” may lead to more severe violations of privacy, Cahane and Shany warn.
The report details the broad discretion that current Israeli law gives to governments to set rules for the surveillance activities of the intelligence services.
Moreover, whatever rules there are are kept secret.
“While this secrecy facilitates flexible interpretation and application of the law to meet pressing operational needs, the concealed nature of this interpretive flexibility — the soundness of which is not open to public scrutiny — means that it is liable to lead to breaches of human rights
Intelligence agencies wanting to wiretap people do not have to apply to the courts. They merely need to obtain a permit in advance from the responsible minister.
In the case of certain types of wiretap, the Wiretap Act totally exempts them from any authorization.
Judicial review of online surveillance practices, while not sweeping, does exist in countries such as Germany and the UK, the researchers find.
In the US for example, a court can appoint an external individual to ensure that applications to wiretap are not automatically rubber stamped for those making the application.
The report recommends introducing regulations to define what, where and how bodies such as the Israel Police, the Shin Bet security services and the Mossad can collect communications data online and for how long they can store it.
‘Ban bulk collection of online data’
Israeli law should prohibit the bulk collection of data unless strictly necessary in specific circumstances, in which case procedures need to guarantee that rights violations are minimized.
Legislation should define what is allowed in relation to the cross-referencing of various databases, the uses to which the results of statistical processing can be put and the extent to which that processing can be carried out automatically, and without human intervention.
It should also lay down the powers of authorities to collect publicly available information from social networks and define the limits of strategies such as fake profiles to get access to information that is not fully public.
Procedures for obtaining information from platforms such as Google and Facebook also need to be regulated by law, limited to narrow objectives involving serious crime and national security, and be open to judicial review, the report says.
Judicial review needs to be extended and judges should be given strengthened powers both to order less invasive alternatives and to ensure information is only used for the purposes required.
The report’s authors further recommend lifting the veil of secrecy on the rules according to which the various law enforcement and security bodies obtain data from telecommunications companies and — in as far as is possible – on the extent to which these bodies obtain such data and use their powers to wiretap.
Finally, say the researchers, an independent supervisory authority should be established to review the ongoing online surveillance activities of governmental bodies, to check compliance with the provisions of orders, and to advise and provide professional guidance regarding the privacy protection aspects of relevant regulation.
Failing this, the powers of the Privacy Protection Authority should be expanded so that it can supervise this online surveillance, or an ombudsman should be appointed to investigate complaints, quickly find solutions and periodically publicize its findings while keeping the complainants’ identities secret.
The heads of the security services should be obligated to report annually to the Knesset’s Constitution, Law and Justice Committee and the Foreign Affairs and Defense Committee on the number of wiretaps carried out for state security purposes.
The Israel Police should be obligated to report annually on their use of powers granted by the Criminal Procedure Law (Enforcement Powers—Communication Data), the report says.