This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session, feel free to contact us at email@example.com.
A woman returning to Israel on 21 February after a two-week quarantine aboard the Diamond Princess cruise ship was the first confirmed case of Covid-19 in the country. During this initial phase of the epidemic, epidemiological investigations reportedly relied on oral questioning of confirmed coronavirus carriers and on manual review of their recent credit card history and public transportation digital logs for corroboration.
The exponential surge of confirmed Covid-19 cases to 178 within a fortnight was met with broadening restrictions on the freedom of movement in Israel, which escalated from quarantining people arriving from abroad by the middle of March to a general lockdown restricting residents to a 100-meter radius from their homes on 25 March.
In addition to these restrictions and others, a public statement by Israeli Prime Minister Benjamin Netanyahu on 14 March disclosed his government’s intention to employ advanced digital monitoring tools, mainly used for counterterrorism purposes, to track coronavirus carriers. Within several days, the government issued two emergency regulations authorizing the Israel Security Agency (ISA, also known as ‘Shin Bet’ or ‘Shabak’) and the police to use communications metadata to assist with the efforts to contain the spread of the pandemic.
Government access to communications metadata in Israel
Before detailing the development of the legal framework authorizing the ISA and the police to use communications metadata to assist in the national effort to counter Covid-19, a short overview of the general legal framework governing metadata acquisition by security and law enforcement agencies is in order: Israeli police and other law enforcement authorities may seek to obtain Communications Data (defined under the Communications Data Law as ‘Location Data, Subscriber Data and Traffic Data, precluding the contents of electronic communications’) from licensed communication service providers (mainly cellular, telecom and ISPs) pursuant to a court order. The Israeli High Court of Justice ruled that under the Communications Data Law, the police may only engage in targeted acquisition of communications data within the framework of specific investigations, rather than seeking to collect bulk volumes of such metadata for general and ongoing intelligence uses.
ISA metadata acquisition, on the other hand, is not subject to ex ante judicial review. Under section 11 of the ISA Law, the service is authorized to obtain ‘Data’ from licensed providers of communication services. ‘Data’ is broadly defined as ‘including Communication Data, except Contents Data as defined in the Wiretap Law, 1979’. A recent exposé revealed that the ISA has been siphoning such broadly defined metadata from telecommunications licensees for more than 18 years, and storing it in a mass-volume database referred to as ‘the Tool’.
Emergency regulations: Contact tracing and enforcement of self-quarantine
Two emergency regulations were issued in mid-March to authorize coronavirus-related location surveillance. The first authorized the ISA to assist the Ministry of Health (MOH) in epidemiologic investigations – i.e., authorizing the ISA to use ‘the Tool’ to retrieve the location of people who were in close contact with coronavirus carriers (either confirmed or suspected) in the 14 days prior to their diagnosis. The ISA insisted that it would not partake in any virus-related enforcement activities, such as monitoring compliance with quarantine orders, and accordingly the second emergency regulation amended the Communication Data Law by adding provisions authorizing the police to obtain the locations of a random sample of confirmed coronavirus carriers every day in order to verify that they remained in self-quarantine.
The legal framework pertaining to coronavirus surveillance in Israel has been developing in real time throughout the crisis. Initially, the government sought to authorize ISA location tracking by adding to its statutory functions, pursuant to Section 7(b)(6) of the ISA Law, and subject to the approval of the Knesset’s Intelligence Subcommittee. However, the subcommittee refused to rubber-stamp the government resolution in the short time that remained until the Knesset and the subcommittee itself were dissolved following the recent election, before the new Knesset was sworn in. The emergency regulations issued the same night were therefore a temporary legal measure until a new subcommittee was formed.
Litigation challenging the new coronavirus emergency regulations soon followed. An interim order by the High Court of Justice allowed the ISA to exercise its authorities under the regulations for several more days unless a new subcommittee was formed, and limited the scope of the authorized contact tracing to confirmed Covid-19 cases only. It further ruled that the police must refrain from using the powers that the emergency regulations granted them until further notice.
Following the formation of the new intelligence subcommittee, the High Court of Justice issued a new interim order in late March allowing the ISA powers under the emergency regulations to remain in force. The court, seeing that a memorandum to amend the Communications Data Law to replace the police emergency regulations was being drafted, revoked the previous interim order to suspend the police emergency regulations. However, despite discussions on the topic in the Intelligence Subcommittee throughout April, both the memorandum and the police location tracking activities were suspended by the end of the month.
The legal framework under Government Resolution 4950
Under Section 39 of the Israeli Basic Law: the Government, emergency regulations are enacted by the government alone, with no prerequisite parliamentary approval. However, under the ISA Law, government resolutions tasking the ISA with functions other than its statutory duties are subject to parliamentary approval of the Intelligence Subcommittee. As soon as the new Intelligence Subcommittee was formed, it began a series of five hearings discussing the amended government resolution. Unlike regular hearings by the Intelligence Subcommittee, which are not made public, some of these hearings were broadcast live, and civil society organizations and academics were invited to provide their insights on ISA and police location surveillance of coronavirus carriers. By the end of March, the subcommittee approved the amended Government Resolution 4950 authorizing the ISA to assist in the national effort to limit the spread of Covid-19.
Government Resolution 4950 authorizes the ISA to obtain, collect and process Technological Data to help the MOH in identifying the places visited by a coronavirus carrier in the 14 days prior to the diagnosis, and to transfer Required Data to the MOH. Technological Data, which was initially undefined in the original government resolution, is defined in the amended resolution as ‘Subscriber data, Location Data and Traffic History, excluding the contents of a “conversation” in its meaning under the Wiretap Law.’ ‘Required data’ is the processed data the ISA is authorized to transfer to the MOH: either the location and route taken by a coronavirus carrier in the 14 days before diagnosis, the contact details of persons who came into close contact with each coronavirus carrier, as well as their identification number and the location and time of exposure to the carrier.
The ISA was permitted to retain the Technological Data obtained under Government Resolution 4950 only during the effective period of the resolution and was required to delete it immediately upon its termination. The Required Data was retained by the ISA for a period of a week, and by the MOH for the entire period the resolution was in force. The MOH was further allowed to retain Required Data for an additional period of 60 days for purposes of internal review of its activities.
Government Resolution 4950 contains purpose limitation provisions pertaining to both Technological Data and Required Data. The ISA must provide the MOH only with the Required Data, pursuant to a query by the latter. All ISA internal procedures regarding handling and processing of Technological Data shall remain secret. Similar MOH internal procedures regarding contact tracing shall be drafted and made public by the MOH general counsel and approved by the attorney general. Government Resolution 4950 explicitly states that the ISA must not partake in any coronavirus-related enforcement activity nor will the ISA directly contact a coronavirus carrier or persons who have been in close contact therewith.
The resolution further contained several oversight provisions. One such provision is that the director of the ISA and an MOH representative have to report to the Intelligence Subcommittee every 6 days with statistics on contact tracing activities (whereas under the ISA Law, the reports of the director of the ISA to the Subcommittee regarding the usage of the ‘Tool’ are annual). The resolution was originally authorized for a limited period of 30 days, but was later extended on several occasions. Any such extension is subject to the approval of the Subcommittee, which warned during the hearings that it would not rubber-stamp extensions lacking thorough consideration of less infringing alternatives to tasking the ISA with contact tracing (considerations that must be taken by the Health Minister pursuant to Section 13 of the resolution).
The ruling in Ben Meir v. Prime Minister and its aftermath: The Machine Stops
While the resolution was still in effect, the High Court of Justice issued its ruling on the matter. The majority opinion of Chief Justice Esther Hayut in Ben Meir v. Prime Minister focused on the procedural question of whether the ISA can be authorized to assist in location tracking in a government resolution pursuant to the ISA Law, or whether the ISA’s online surveillance of Israeli citizenry for these purposes must be explicitly enacted in primary legislation. Drawing upon the Israeli nondelegation doctrine, the opinion concluded that while the urgency of the first weeks of the crisis allowed for ISA authorization under the ISA Law, by the end of April there was time enough for the Knesset to deliberate and pass primary legislation authorizing the ISA to engage in contact tracing. The court allowed that to the extent that the government shall seek to promote such legislation, the force of the resolution can be extended for a period that shall not exceed a few weeks.
Following the Ben Meir decision, the government requested the Subcommittee to approve several more extensions of Resolution 4950. The committee approved further extensions while a memorandum of a law authorizing ISA surveillance of coronavirus carriers was drafted and under review. The penultimate extension request for Government Resolution 4950 on May 26 already narrowed the scope of ISA coronavirus location tracking to “particular and unique cases wherein identification of the persons who came into close contact with the [Covid-19] patient cannot be achieved by regular epidemiological investigative methods”. On June 9, the Ministerial Committee on Legislation approved the coronavirus location tracking bill, although eventually the government decided not to bring it before the Knesset – reportedly following the request of the ISA director. ISA authorization to engage in location tracking of coronavirus carriers, which was employed only for one case (of a coronavirus carrier that could not communicate with the epidemiological investigators) in a period of two weeks, was finally extended for 48 more hours and terminated by June 11.
It should be noted that the Israeli Privacy Protection Authority (PPA) voiced its opinion at a very late stage of these developments. In a letter dated April 22 to the Ministry of Justice, a group of privacy experts expressed their concerns over the PPA’s absence from the process of drafting the emergency regulations. The PPA has since published a report about social scoring systems (in response to a suggestion to employ a similar ‘health scoring’ system for overseeing the spread of the virus, assigning a ‘health score’ to every individual in Israel), a review of contact tracing technologies, and a request for information seeking alternatives to ISA location tracking with better privacy protections.
No other democracy in the West has harnessed its security services to employ surveillance measures regularly reserved for national security purposes in order to counter the Covid-19 pandemic. The Israeli tendency to associate emergencies – even civil ones – with national security contributed to the securitization of the crisis. Another contributing factor to the decision to use the ISA’s surveillance measures was their availability, as the loose legal framework that governs ISA’s metadata collection activities allowed for the service to develop technological capabilities and methodologies that were unmatched by any other location tracking solution at the beginning of the crisis.
However, it appears that the MOH has developed a taste for ISA assistance, as officials considered extending its authority to ‘2-hop’ location tracking: second-order surveillance of persons who have been in close contact with persons who have been in close contact with coronavirus carriers. This idea – and others, such as utilizing private actors to develop a ‘health scoring’ system or allowing entry to indoor commercial venues only to individuals who have downloaded a special location tracking app – was eventually discarded, but all these suggestions indicate the addictive quality of online surveillance for policy makers. Accordingly, the bill authorizing the ISA to engage in location tracking of coronavirus carriers was not abandoned, but only put aside – to await the next wave of the pandemic.
Postscript: After this post went to print, the government indeed decided to push forward the bill to authorize the GSA to assist the Ministry of Health in coronavirus location tracking, given the alarming increase of confirmed coronavirus cases in Israel and the likelihood of a second wave of the pandemic. On July 1, the Knesset passed temporary statutory provisions, effective for 21 days, authorizing the ISA to assist the MOH in epidemiological investigations. While similar in nature to Government Resolution 4950, the temporary provisions contain a mechanism under which the government may issue a declaration authorizing the ISA to use its powers under the temporary provisions – and such declarations may be terminated either by the government or by the Knesset.
Amir Cahane (visiting scholar in The Federmann Cyber Security Research Center—Cyber Law Program)