A year is a long time in politics. This time last year, back in May 2020, privacy and human rights activists, lawyers, and analysts in Israel were concerned about Covid-19 contact tracing apps. We were arguing that these apps represented a huge expansion of the ability of the government to surveil its own citizens, and that once these powers were granted to Shin Bet they wouldn’t easily be curtailed.
We were, in large part, incorrect. Though it remains the case that Israeli data privacy law is outdated, and there are still concerns over data security in the country (and not least the vulnerabilities that led to recent leaks of Facebook data), it’s now also clear that the government is taking these concerns seriously. That’s not to say, of course, that we shouldn’t continue to be watchful. But it is to say that we should give credit where it is due. In this article, we’ll do just that.
State of Exception
First, let’s look at the events that triggered rising concern about data privacy in the country. Back in March 2020, the Israeli government approved a non-voluntary mass surveillance program that allowed government agencies to track every single individual in the country in order to slow down the spread of the Covid-19 virus.
The program was headed by the Israeli Security Agency (ISA), known as Shin Bet, which is responsible for the fight against terrorism and espionage. The mobile-phone location data helped to identify people who had crossed paths with patients who had tested positive for COVID-19, resulting in mandatory quarantine. Despite government claims to the contrary, this represented a massive increase in the capabilities of Shin Bet, and led to them collecting an impressive amount of information on every citizen of the country.
In addition to those (like myself) who were worried about this expansion, human rights organizations also made their views clear. Some submitted a petition to the Israeli High Court of Justice arguing that the measures were a clear violation of basic human rights, specifically human dignity and privacy. At this point, many citizens were concerned that the government would use the pandemic as an excuse to track every citizen, and keep the data on file forever.
Then, however, a series of important events occurred. First, in April 2020, the High Court of Justice ruled that the Shin Bet security service’s cell phone tracking of confirmed coronavirus carriers could not continue to operate due to the lack of legislation. In other words, it became apparent that data privacy and security concerns were shared by at least some judges, and that they were willing to stand up to the government, even during a crisis.
A long series of claims and counter-claims then began, as the government attempted to push through extra surveillance powers. As a result of the increase of COVID-19 infections, in July 2020 the Israeli Parliament (Knesset) passed a temporary law authorizing the use of the Shin Bet to track civilians for six months, overruling the earlier court decision and removing the requirement that Shin Bet prove they were protecting the personal information of those they collected data from. The slippery slope here is obvious. If Shin Bet were a private company, it would have been seen to have violated just about every part of the customer service experience imaginable along the way, and to have fallen afoul of the GDPR and just about every other set of data privacy guidelines imaginable.
This move led to yet another response from a number of prominent human rights organizations, who submitted a petition arguing that the temporary order was unconstitutional. This time, the claim was more focused. It wasn’t that the surveillance was illegal in principle, the petition claimed — it was that it wasn’t being used in the way it should be. Rolling out surveillance to protect civilians from terrorist attacks, the petition claimed, was constitutional, but using the same powers to protect health was not.
The Wrong Target?
Now, almost a year later, these seem like small, outdated concerns. Yet it’s important, at this stage, to look back and assess what this incident can tell us about the state of data protection in our country.
The first thing to note is that, contrary to the expectations of many analysts, the government was actually barred from implementing the most extreme versions of its plans, and the duration of those plans was also limited by the courts. Just recently, in fact, the High Court of Justice restricted the activity of Shin Bet. After March 14th, tracking can only be used for those who don’t cooperate with epidemiological investigations.
This means, in practice, that the advanced tracing system that was developed last year will only be used as a “complementary tool” for individual cases and not as a mass surveillance tool. It is also crucial to highlight that the method used by Shin Bet has been proved not to be very efficient at tracking people. There are several cases where people have been wrongfully sent to quarantine. In other words, the Israeli government has been surprisingly inept when it comes to gaining permission to gather data and build the infrastructure required to do so.
For those concerned about protecting the privacy of data, that’s great news. Or it would be, if data were not being collected by huge corporations that do not operate under Israeli law, and that are building infrastructure in the country to store it.
The Bottom Line
In short, those who worry that their data is not safe with the Israeli government might have picked the wrong target. Instead of worrying about Shin Bet, it might be more instructive to interrogate the actions of private companies in the country, especially those that relate to incidents such as the recent data-for-vaccine deal with Pfizer. Because, ultimately, at least the government can be largely held to account — if only the same could be said of multinationals.