“We’ve got monsters.” That’s how Sasson (Sassi) Elia, the outgoing head of the Information Systems Technology division of the Israel Security Agency (also known as Shin Bet or Shabak), characterized the organization’s technological capacity. One of the Shin Bet’s longtime monsters is “The Tool,” the database into which telecommunication licensees (the cellular, internet, and landline service provider) feed a wide variety of communications metadata about the traffic passing through them. The Tool includes not only the metadata that the Israel Police can obtain by means of a court order (location, identity and traffic) but also metadata in a broader sense – that is, everything except the actual communications content, as defined by the Wiretap Law. For the last two decades, the Tool has been siphoning metadata about each and every Israeli citizen.
Monday, nearly a year after the ministry of health began utilizing the Shin Bet’s surveillance measures for COVID-19 location tracking, the High Court of Justice ruled that the Shin Bet will curtail its coronavirus cellular location tracking activities and limit them to cases of a refusal or inability to cooperate with epidemiological investigations.
Is it really possible to put an end to the Shin Bet’s bulk coronavirus surveillance and focus on a limited number of specific cases, as the ruling stipulates? The answer is a simple no. Public discourse regarding Shin Bet location tracking of confirmed coronavirus carriers and those with whom they have been in close contact has at times created the impression that the Shin Bet’s collection capabilities were being employed especially towards this end. In fact, The Tool will continue to track each and every one of us; the only difference is that Shin Bet’s authority to run queries on the data it gathers in order to facilitate epidemiological investigations will be curtailed (and eventually eliminated, as the law authorizing coronavirus surveillance is set to expire by early July).
In media interviews, senior Shin Bet officials regarded the database as an endless collection of points in cyberspace that don’t mean anything as long as no one accesses them. In their view, as long as the data have not been scanned by a human eye, their mere collection poses no threat to human rights. However, the coronavirus pandemic has taught us in no uncertain terms that Israel’s knee-jerk decision to rely on the Shin Bet to deal with a civilian crisis has had a chilling effect. The low number of downloads of the Magen 2.0 contact tracing application and marginal other developments including a bump in purchases by young people of unidentifiable ‘dumb’ cellphones indicate the real-world impact of the ongoing tracking of people’s movements.
The dozens of hearings on this issue held by the Knesset Foreign Affairs and Defense Committee did not revolve around the question of whether the Shin Bet should be permitted to partake in bulk surveillance of the country’s residents, but only around the information transfer interface between the Shin Bet to the Ministry of Health. Along the way, substantial questions were obscured. For example, whether there is a real need for the Shin Bet to retain the history of Israelis’ phone calls and movements; and what safeguards are in place to ensure that the data is not misused or accessed without proper authorization.
The Shin Bet’s internal controls of The Tool, and the service’s willingness to limit itself voluntarily, are not enough. Despite the many Foreign Affairs and Defense Committee sessions, the effectiveness of parliamentary oversight has been shown to be problematic. And in any case, the Committee dragged its feet and ultimately proved unable to promote a civilian alternative to the Shin Bet coronavirus location tracking.
The last few months have demonstrated that given the existence of this treasure trove of data, it was only a matter of time until other agencies would ask to make use of it. In the past, the Shin Bet turned down a number of such requests, but occasionally allowed the police access to its data. Recent reports about an internet monitoring system operated by the Israel Police indicate that other organizations are eager to obtain similar data-collection capacity and demonstrate how important it is to keep an eye on them.
A public and far more transparent debate regarding intelligence and law-enforcement agencies’ online surveillance measures is necessary, as well, regarding appropriate legislation (rather than mere classified rules) that will regulate their use and oversight. For example, in a recently published study, I proposed the establishment of an independent oversight body, similar to the British model; in his book, Eli Bahar, the former legal advisor to the Shin Bet, proposed removing the Tool from the Shin Bet and placing it in the hands of a separate organization (similar to the situation in the Netherlands), along with changes in access policies and a narrower purposive scope of the database.
Within two weeks, the Shin Bet will narrow the scope of its assistance to the epidemiological investigations — and that would be a good thing. However, The Tool and the other “monsters” in the service of the Shin Bet are still with us. Until their use is regulated by detailed and transparent legislation and placed under effective oversight, the public might be well-advised to keep cellphones in flight mode.