Israel Security Agency’s bulk metadata collection program came to light when used for contact tracing purposes in the wake of the Covid-19 pandemic. Although this repurposing of a national security surveillance measure for civilian ends was challenged in court, the bulk collection programs were not. Against the backdrop of this ‘Israeli Snowden moment’, a recent petition to the High Court of Justice in Israel might tip the scale towards a surveillance reform.

In recent years, Israel has been undergoing a prolonged Snowden moment. A secret counterterrorism metadata collection program, given the moniker ‘the Tool’ by the press, has been made public following its retasking for Covid-19 contact tracing purposes. Furthermore, a leading news journal recently claimed that the Israeli police has been using NSO-sourced spyware. This triggered a heated public debate on the matter.

While journalistic allegations of spyware misuse by the police are currently under internal review, Israel Security Agency’s (ISA, also known as GSS, Shin Bet, or Shabak) continued use of the Tool is undisputed. The Tool has been syphoning all the metadata of electronic communications relayed by Israeli licensed telecommunications providers: land lines, cellular services and ISPs.

This may provide an answer to those wondering why the European data retention discourse, which culminated with the full invalidation of the data retention directive by the European Court of Justice in the Digital Right Ireland case, has no Israeli equivalent. Israeli Law has no data retention provisions, as all communications metadata is transferred online to the ISA, rather than retained by service providers for future acquisition.

The legal basis for the operations of the ‘Tool’ is located in section 11 of the Israeli ISA law, which was enacted in 2002. The section was a late addendum to the draft bill in between the first reading as well as the following readings of the law, and didn’t receive much attention. ISA director at the time, Avi Dicther, later said that “we tried to pass it under the radar screen, because it was potentially a very problematic section, even though in 2002 not everybody fully understood the implications of metadata.”

While metadata acquisition by Israeli law enforcement agencies is subject to ex ante judicial review in some cases, the rules governing the ISA’s acquisition, processing, and retention of metadata are notably different. Under Section 11 of the ISA Law, the Prime Minister is authorised to set rules that define certain categories of data in keeping with statutory mandate. This includes obligations for licensed telecommunication service providers to transfer such data to the ISA. ‘Data’ is broadly defined as “excluding the content of a conversation as defined in the Wiretap Law 1979-5739.” Accordingly, all types of metadata – rather than the exhaustive list in the Communications Data Law – are applicable.

The current legal framework foresees no ex ante judicial review for any of the service’s metadata SIGINT practices. The use of data obtained thereunder is subject only to the authorisation of the ISA director. Such authorisation may be given for periods not exceeding six months, and can be renewed indefinitely. The rules governing the use, retention, security, and processing of such data are set by the Prime Minister. They are classified, like all rules set under the provisions of the ISA Law. Certain provisions in Section 13 of the telecommunications law authorise the Prime Minister to order licence holders to assist security authorities, including the ISA. For example, they may be ordered to install or configure devices. 

Challenging the Tool? Covid-19 case law

The legal basis, under which the ISA was authorised to use the Tool for contact tracing purposes, underwent several changes: from emergency regulations, to a government resolution approved by a parliamentary subcommittee, it culminated  in statutory law – albeit with a sunset clause. Each of these frameworks was challenged at the High Court of Justice.

In its jurisprudence, the Israeli High Court of Justice did not strike down any authorisation to employ the Tool for epidemiological purposes. Rather, it has gradually steered the government towards parliamentary oversight. At first, it issued an interim order in the matter of Ben Meir, following an appeal by several NGOs and activists. The powers of the ISA under the specially promulgated emergency regulations were to be suspended within a few days, unless a proper parliamentary oversight committee was established. The final ruling in Ben Meir held that a government resolution approved by a parliamentary subcommittee is an insufficient basis for authorising the ISA’s surveillance measures. If the government was to seek authorisation for the ISA’s contact tracing surveillance proper legislation would be necessary. In ACRI v. Knesset, the court did not declare the statutory law authorising ISA to engage in Covid-19 related contact tracing activities unconstitutional. Rather, it criticised the government’s flawed administrative decision-making process. The latest decision on ISA Covid-19 contact tracing authorisation was given swiftly in the wake of the Omicron wave. As the authorisation law expired, the government resorted once again to emergency regulations, which were found to be proportional by the court.

All these cases focused on a legal framework on data transfers between the ISA and the Israeli Ministry of Health. Some of the judges  involved criticised in their opinions that a counterterrorism measure is not as such suitable for civilian purposes and consequently should not simply be repurposed. However, no challenges were made against the general legal framework, under which the Tool operates for national security purposes. In the aftermath of the Omicron wave, it appears that the time has come to put this in question.

ACRI v. Director of ISA

In late May 2022, the Association for Civil Rights in Israel (ACRI) appealed to the High Court of Justice in the matter of the Tool  (HCJ 3659/22). A preliminary question is whether bulk collection programs should have a place in democratic countries, and, if so, under which conditions. One should then ask, whether these conditions apply to the case of Israel in general, and to the Tool more specifically. However, these questions should be left for future public and policy debate regarding the much needed reform in the existing legal framework under which the Tool operates, and against which the petitioners argue.

The petitioners describe how the Tool’s untargeted bulk collection operations are infringing upon the constitutional right to privacy. Under the Israeli basic law of human dignity, any such infringement must be proportional to its purpose. The petitioners list a number of substantial faults in the existing legal framework, under which the Tool operates, that render its infringement on human rights and liberties disproportional.

The lack of ex ante judicial or quasi–judicial review of metadata collection as well as the absence of independent ex post oversight mechanisms is listed among the faults of the Tool’s statutory framework.

In addition, ACRI argues that Section 11 of the ISA Law is insufficiently worded. Its language is vague and it lacks reference to substantial matters, such as the types of metadata to be collected by the Tool, their retention period, and the purposes, which will allow using the data. These matters are left for administrative decision making, rather than to the prerogative of lawmakers.

The petitioners call to narrow the scope of the purposes under which using the database will be authorised. As the ISA statutory duties include matters such as vetting for security clearances and the protection of persons, information as well as places as determined by the government, ACRI argues that the Tool should be limited only to national security related matters. Also, the petitioners point out that there are no specific safeguards and protections afforded to journalists as well as their sources.

Analysis

At this preliminary stage, it is early to predict whether the court will accept ACRI’s claims. However, the Covid-19 contact tracing case law may provide some indication as to the court’s leaning. While acknowledging the extent by which the Tool infringes upon the right to privacy, the court has never annulled any authorisation to use it even for civilian, corona-related purposes. The court was willing to accept the continued utilisation of the Tool during the first wave of the coronavirus pandemic, provided that there was sufficient parliamentary oversight in place. When the ISA authorisation law was challenged – the court did not find it unconstitutional but turned to scrutinise the government’s administrative decisions thereunder. Is there any reason to expect the court to take a more radical approach when reviewing the legal framework authorising to use the Tool for national security purposes?

In light of the court’s general tendency to defer to the authority of national security agencies – as it did for example in a 2015 FOIA case, rejecting a request to make public the annual ISA wiretapping statistics –ACRI faces an onerous challenge. The Israeli Snowden moment – pursuant to which many Israelis become aware of the ISA ubiquitous cellphone metadata surveillance, and the police’s contested use of spyware – may provide sufficient tailwind to tip the scales towards a proportionate reform in the laws of bulk metadata collection for national security purposes in Israel.